摘要
Returned-Oriented-Programming(ROP)攻击能突破传统防御机制如DEP和W⊕X.目前ROP攻击检测误报率较高,无法准确区分ROP攻击与正常指令执行.ROP攻击需执行系统调用完成攻击,执行系统调用前寄存器须设置为正确的值,并且每条x86指令对应一个或多个gadget.基于上述特点,提出一种有效的二进制代码级ROP攻击检测方法:截获返回指令并作为起始点计算gadget数目,并在系统调用执行前判断寄存器是否被修改为与其参数类型相同的值.该方法不依赖启发式学习,能准确检测栈溢出的ROP攻击.通过动态插桩工具实现原型系统,对ROP攻击和正常程序进行了测试,实验结果表明系统漏报率和误报率较低,且性能损失较小.
Return-Oriented-Programming(ROP) attacks can bypass traditional defenses such as DEP and W ⊕ X.Current detection techniques have high false positives w hich are unable to accurately distinguish attacks from normal instruction execution.ROP attacks need to invoke system calls to achieve attacking goal,before w hich registers must be set to correct values;also each x86 instruction corresponds to one or more gadgets.Bases on such characteristics,a new ROP attack defense technique on binary level w as proposed: it intercepts return instructions,from w hich counts the number of gadgets,then check w hether registers have been changed to correct values just before invoking system call.It does not rely on heuristics and provides accurate detection of ROP attacks by stack smashing.Prototype system is implemented w ith dynamic binary instrumentation tool,and w e evaluated the system w ith normal programs and ROP attacks.Experiment results show it causes low false positives and negatives w hile makes little overhead.
出处
《小型微型计算机系统》
CSCD
北大核心
2013年第7期1625-1630,共6页
Journal of Chinese Computer Systems
基金
保密通信国防科技重点实验室基金项目(9140C1104020903)资助
